CVE-2026-44985

Name of the Vulnerable Software and Affected Versions Dozzle versions prior to 10.5.2

Description The WebSocket upgrader for the '/exec' and '/attach' endpoints accepts upgrade requests from any origin because it uses a custom CheckOrigin function that always returns true. When combined with the JWT cookie using SameSite: Lax, this allows Cross-Site WebSocket Hijacking (CSWSH). An attacker hosting a page on a same-site origin (such as a sibling subdomain or another service on localhost) can initiate a WebSocket connection to the exec endpoint. This connection carries the victim's valid JWT cookie, allowing the attacker to gain interactive shell access to any container the victim is authorized to access.

Recommendations Update to version 10.5.2. As a temporary workaround, restrict access to the '/exec' and '/attach' endpoints to minimize the risk of exploitation.